PFN_LIST_CORRUPT (4e)

Hi,
My virtual SCSI driver met a PFN_LIST_CORRUPT (4e) problem
on W2k advanced server SP2 with dual CPUs.
It doesn’t look like my code causes this problem (I wish).

Does anyone have experience with this type of error? Where should
I pay special attention? Thanks in advance.

Following are some excerpts from Windbg. Hope it can give you some
ideas about the problem.

Wei

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000007, A driver has unlocked a page more times than it locked it
Arg2: 00019fa0, page frame number
Arg3: 00000001, current share count
Arg4: 00000000, 0

Debugging Details:

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 4E

LAST_CONTROL_TRANSFER: from 80437570 to 8044c9af

STACK_TEXT:
ec0239e4 80437570 85445228 a6a16e90 00000104 nt!MiDecrementReferenceCount+0x37
ec0239fc 8041dc10 85445202 000000c9 a6a16e90 nt!MmUnlockPages+0x110
ec023a20 80527a60 b7fb4fdb b7fb4f68 00000000 nt!IopfCompleteRequest+0x1f4
ec023a38 ebcc333a 00000000 00020000 b7f84f40 nt!IovCompleteRequest+0xa4

1: kd> !pfn 19fa0
PFN 00019FA0 at address 86134700
flink 00000000 blink / share count 00000001 pteaddress C0294490
reference count 0000 color 0
restore pte 00000080 containing page 001054 Active M
Modified

1: kd> dd esp
ec0239cc 0000004e 00000007 00019fa0 00000001
ec0239dc 00000000 86134700 85445228 80437570
ec0239ec 85445228 a6a16e90 00000104 00000000
ec0239fc 00000001 8041dc10 85445202 000000c9
ec023a0c a6a16e90 ec023a38 80064c40 01003a28
ec023a1c 00000000 a6a24fc8 80527a60 b7fb4fdb
ec023a2c b7fb4f68 00000000 00a16e90 ec023a54
ec023a3c ebcc333a 00000000 00020000 b7f84f40

1: kd> ln 80437570
(80437460) nt!MmUnlockPages+0x110 | (80437596) nt!MmBuildMdlForNonPagedPool

Ok, lemme go again through this (maybe it should go into a FAQ somewhere in an
easily accessible place on the Web):

If you expect us to give you a reply to a situation where the OS crashed,
then please make an effort and give us enough data.

That means:

  1. Use a checked build of the OS
  2. Make sure you have installed correct OS symbols and your driver symbols
  3. Always use the latest version of Windbg, which is freely downloadable
  4. Load the crash dump into your debugger, and at least provide us the
     output of analyze -v
  5. If the system crashed before crash dump support is initialized and you are
     unable to use crash dump analysis commands, at least provide us a stack
     backtrace and complete bugcheck information (YES, this includes the
     4 magic parameters)

If you don’t follow those steps, then don’t even bother to waste our time. In
most cases, crash analysis is not trivial and we can’t help you unless you
feed us with information.

In your case, for example, Parameter 1 of the bugcheck is very important
to determine the cause of the problem.
Without it, I can only guess, and I might be terribly wrong, that you
encountered the most common form of this bugcheck: incorrect pairing of MDL
locking / unlocking.

----- Original Message -----
From: “chen, wei”
To: “NT Developers Interest List”
Sent: Wednesday, September 18, 2002 6:15 PM
Subject: [ntdev] PFN_LIST_CORRUPT (4e)


Bah, I’m an idiot, I just saw that your e-mail provides this. I’m sorry.

Who calls IoCompleteRequest, and what is the IRP being currently
completed? Do you try to unlock the MDL yourself, prior to initiating IO
completion, or in a completion routine?

Dan


Hmm, it’s a SCSI IRP I was trying to complete. But I didn’t
unlock the MDL associated with this IRP. I did, however,
send the MDL down to TCP using TdiBuildReceive. Unless TCP
unlocks the MDL after it finishes receiving data, …

Wei

-----Original Message-----
From: Dan Partelly [mailto:xxxxx@rdsor.ro]
Sent: Wednesday, September 18, 2002 11:50 AM
To: NT Developers Interest List
Subject: [ntdev] Re: PFN_LIST_CORRUPT (4e)


If the MDL source was in nonpaged pool and MmBuildMdlForNonPagedPool() was
used (for the IRP you send down to TCP), you should set a completion routine in
which you free the MDL yourself and set Irp->MdlAddress to NULL. However, I
don’t know if you build any MDLs yourself. Dump the IRP which is being
completed, and try to determine who initiated the IO completion.

Dan

----- Original Message -----
From: “chen, wei”
To: “NT Developers Interest List”
Sent: Wednesday, September 18, 2002 8:51 PM
Subject: [ntdev] Re: PFN_LIST_CORRUPT (4e)

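
Added example, not part of the original thread: a user-mode C model of the lock/unlock pairing discussed above, in which one MDL is locked once but attached to two IRPs, and each completion unlocks whatever MDL is still attached (as the stack shows IopfCompleteRequest calling MmUnlockPages). All types and function names are hypothetical stand-ins for the kernel routines, and the detaching completion routine follows the suggestion of clearing Irp->MdlAddress before completion continues.

```c
/* User-mode model only; names are hypothetical stand-ins, not kernel APIs. */
#include <stddef.h>
#include <stdio.h>

#define NPAGES 4
static int lock_count[NPAGES];  /* per-page lock (reference) count */
static int bugcheck_4e;         /* set when a page is unlocked more often than locked */

typedef struct mdl { int first_page, npages; } mdl_t;
typedef struct irp irp_t;
typedef int (*completion_fn)(irp_t *);  /* nonzero = stop further completion */
struct irp { mdl_t *mdl_address; completion_fn completion; };

static void lock_pages(const mdl_t *m) {    /* models MmProbeAndLockPages */
    for (int i = 0; i < m->npages; i++) lock_count[m->first_page + i]++;
}
static void unlock_pages(const mdl_t *m) {  /* models MmUnlockPages */
    for (int i = 0; i < m->npages; i++) {
        int p = m->first_page + i;
        if (lock_count[p] == 0) { bugcheck_4e = 1; return; }  /* the Arg1 = 7 case */
        lock_count[p]--;
    }
}
/* models IoCompleteRequest: run the completion routine, then unlock any attached MDL */
static void complete_request(irp_t *irp) {
    if (irp->completion && irp->completion(irp)) return;
    if (irp->mdl_address) { unlock_pages(irp->mdl_address); irp->mdl_address = NULL; }
}
/* completion routine for the driver-built IRP: detach the MDL and reclaim the IRP */
static int detach_mdl(irp_t *irp) { irp->mdl_address = NULL; return 1; }

/* One MDL, locked once for the upper IRP, also attached to a second IRP sent to
   a lower driver. Returns 1 if the model hits the over-unlock condition. */
int run_scenario(int use_completion_routine) {
    for (int i = 0; i < NPAGES; i++) lock_count[i] = 0;
    bugcheck_4e = 0;
    mdl_t mdl = { 1, 2 };
    irp_t upper = { &mdl, NULL };
    irp_t lower = { &mdl, use_completion_routine ? detach_mdl : NULL };
    lock_pages(&mdl);          /* pages locked once, on behalf of the upper IRP */
    complete_request(&lower);  /* lower driver finishes the receive */
    complete_request(&upper);  /* driver completes the original request */
    return bugcheck_4e;
}

int main(void) {
    printf("no completion routine:   over-unlock=%d\n", run_scenario(0));
    printf("with completion routine: over-unlock=%d\n", run_scenario(1));
    return 0;
}
```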